Unlike Mozilla, Google anticipated SHA-1 errors caused by HTTPS traffic inspection systems

Lucian Constantin | Jan. 11, 2016
Google plans to ban only SHA-1-signed certificates that were issued after Jan. 1 by public certificate authorities

Mozilla decided to lift the SHA-1 ban, at least temporarily, in Firefox 43.0.4, released Wednesday.

"The latest version of Firefox re-enables support for SHA-1 certificates to ensure that we can get updates to users behind man-in-the-middle devices, and enable us to better evaluate how many users might be affected," the company said in a blog post. "Vendors of TLS man-in-the-middle systems should be working to update their products to use newer digest algorithms."

Google also plans to ban SHA-1 certificates issued after Jan. 1, starting with the next stable version of Google Chrome -- version 48. However, the company said in a blog post in December that it will only ban certificates that meet three criteria: are signed with SHA-1, are issued on or after Jan. 1 and chain back to a public CA.

"Note that sites using new SHA-1 certificates that chain to local trust anchors (rather than public CAs) will continue to work without a certificate error," the company said.

Since self-generated root CA certificates like those used by man-in-the-middle HTTPS inspection systems are not "public" CAs, their users should not be affected. This might be a solution for Mozilla too when it decides to reinstate the ban.

 
